<p>SSL | PC Perspective (http://www.pcper.com)</p>
<p><b><a href="http://www.pcper.com/news/General-Tech/Roll-over-Superfish-PrivDog-just-bad-and-comes-Comodo">Roll over Superfish, PrivDog is just as bad and comes from Comodo</a></b></p>
<p>This has been a bad week for the secure socket layer and the news just keeps getting worse. Comodo provides around one out of every three SSL certs currently in use, as they have, until now, had a sterling reputation and were a trusted provider. It turns out that this reputation may not be deserved, seeing as how their Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default. Not only does this app install a custom root CA certificate and intercept connections to websites in order to insert customized ads, as Superfish does, it can also turn invalid HTTPS certificates into valid ones. That means that an attacker can use PrivDog to spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.</p>
<p><a href="http://www.theregister.co.uk/2015/02/24/comodo_ssl_privdog/">The only good news from The Register's article</a> is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and so has limited distribution. It is incredibly depressing that this indicates the entire SSL certificate model is broken, and that even those who create the certs to assure your security feel that inserting a man-in-the-middle attack into their software does not contravene their entire reason for existing.</p>
<blockquote><p>&quot;The US Department of Homeland Security&#39;s cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.</p>
<p>Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog.&quot;</p>
</blockquote>
<p>Tags: General Tech, Comodo, fud, idiots, PrivDog, security, SSL</p>
<p>Posted Wed, 25 Feb 2015 17:36:52 +0000 by Jeremy Hellstrom</p>
<p><b><a href="http://www.pcper.com/news/General-Tech/Google-Rolling-Out-SSL-Encrypted-Search-International-Users">Google Rolling Out SSL Encrypted Search for International Users</a></b></p>
<p>Google recently announced on their <a href="http://insidesearch.blogspot.com/2012/03/bringing-more-secure-search-around.html">Inside Search blog</a> that the company would be rolling out the default SSL encrypted search option for users signed in with a Google account internationally. Previously, the company made SSL encryption the default setting for Gmail and provided an alternative encrypted.google.com webpage for users that wanted to opt in to encrypted search. Earlier this year, they began testing SSL encrypted search and search results pages for users signed into Google in the US, and they are now ready to expand the default setting to international users.</p>
<p>They announced that over the next few weeks, they will begin introducing an SSL (secure socket layer) encrypted search page for localized international Google pages such as google.co.uk (United Kingdom) and google.fr (France), among others. Further, they <a href="http://googleblog.blogspot.com/2011/10/making-search-more-secure.html">hope</a> that their increased SSL commitment will encourage other websites to enable SSL on their domains to protect users from MITM (man in the middle) attacks and to ensure their sessions stay private.</p>
<p>More encryption is a good thing, and international users will be pleased to finally get a taste of it for their Google search queries, especially now that the big G has enabled personalized search results.</p>
<p>Tags: General Tech, encryption, google, international, search, SSL</p>
<p>Posted Tue, 13 Mar 2012 02:01:08 +0000 by Tim Verry</p>
<p><b><a href="http://www.pcper.com/news/General-Tech/Still-hope-SSL-web-aint-dead-yet">Still hope for SSL, the web ain't dead yet</a></b></p>
<p><a href="http://www.pcper.com/news/General-Tech/Sort-secure-socket-layer">SSL and secure data transfer are wounded</a>, but not dying quite yet if you use an elderly cipher called RC4 or ARC4. AES is currently suggested as the preferred way of encrypting data transfers, but the BEAST (Browser Exploit Against SSL/TLS) attack is capable of defeating AES encryption. Unfortunately there are attack methods which are able to defeat RC4, specifically as it is implemented for WPA and WEP in wireless networks. <a href="http://www.theregister.co.uk/2011/09/23/google_ssl_not_vulnerable_to_beast/">Google informed The Register</a> that they have been using RC4, although clients that attempt to connect without support for that cipher are offered the vulnerable AES method. Google also pointed out that the latest developer version of Chrome protects against the BEAST attack, but did not mention when the main version of Chrome will protect users.</p>
<blockquote><p>&quot;The recommendations published Friday by two-factor authentication service PhoneFactor, suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings &quot;for years.&quot;</p>
</blockquote>
<p>Tags: General Tech, fud, security, SSL</p>
<p>Posted Mon, 26 Sep 2011 17:20:05 +0000 by Jeremy Hellstrom</p>
<p><b><a href="http://www.pcper.com/news/General-Tech/Sort-secure-socket-layer">Sort of secure socket layer</a></b></p>
<p>The good news about the discovery that the encryption procedure behind Secure Socket Layer and Transport Layer Security has been compromised is that the newest versions of both SSL and TLS are still safe and have been available for a while now. The bad news is that only a tiny handful of websites utilize TLS 1.1/1.2 and SSL 3.0, and most browsers don't even support the updated protocols. Oddly, Internet Explorer and Internet Information Services both support the newer protocols, though they are not enabled by default; the only browser that does have TLS 1.2 enabled by default is Opera.</p>
<p>You don't have to immediately switch browsers; for your secure connection to be compromised, the attacker first has to compromise your browser or machine to get JavaScript code to run in your browser before they can start the decryption process. It is not the quickest piece of programming either ... yet. <a href="http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/">In the proof of concept that The Register references</a>, a 1000-2000 character long cookie will take about a half hour to crack, which is most likely longer than the average connection to your PayPal account, the site they used as an example, will last. Of course, if you throw a dozen Tesla cards at it, it will probably decrypt the packets at a much quicker pace.</p>
<blockquote><p>&quot;Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.</p>
<p>The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.&quot;</p>
</blockquote>
<p>Tags: General Tech, fud, security, SSL, tls</p>
<p>Posted Tue, 20 Sep 2011 16:02:02 +0000 by Jeremy Hellstrom</p>
<p><b><a href="http://www.pcper.com/news/General-Tech/quick-guide-SSL-and-what-its-major-maladjustment">A quick guide to SSL and what its major maladjustment is</a></b></p>
<p><a href="http://www.pcper.com/category/tags/quakecon">While the boys were having fun at an event in Texas</a>, <a href="http://www.techwarelabs.com/black-hat-2011-ssl-and-the-future-of-authenticity/">TechwareLabs were at a show of a completely different colour</a>. Black Hat 2011, the yearly computer security convention, was also taking place in Las Vegas, bringing to light the discoveries of the past year when it comes to vulnerabilities and how to protect yourself against them. One of the topics for discussion was how the Secure Socket Layer works, by assuming that a Trusted Authority is behind a security certificate which requires them to provide a secure connection between yourself and their servers. Over the past year we saw a hack at Comodo, who are a major Certificate Authority, which led to nefarious people getting their hands on certificates assigned to Microsoft, Yahoo and Google, which allowed them to easily fool even a computer using SSL.</p>
<p>Take that as an example of the failure of the idea of single, large CAs as the way to implement SSL: if you were to no longer trust Comodo and its certificates, then about 1/4 of the secure sites on the net would never allow you to connect. Instead, a programmer detailed a Firefox extension called Convergence as an alternative. This distributed way of dealing with certificate authentication would allow you to switch between trusting and untrusting certain CAs without damaging your ability to connect to secure sites on the web.</p>
<blockquote><p>&quot;This interesting presentation concerns a security protocol that you probably use everyday. It is in your browser, on the server you connect to, and bought together by a &ldquo;Certificate Authority&rdquo;. The idea behind SSL is to provide a secure connection between you, the client browser, and the server providing the sensitive data to you. For instance a Bank website is designed to provide the client with convenient access to account details, transactions, etc. But there is a major issue with a pivotal player in this process. The Certificate Authority or CA is charged with certifying the organizations to which it provides certificates. The CA is supposed to be a trustworthy entity working on behalf of us, the end users, to ensure that any organization it issues a certificate to is credible and trustworthy. After all many users depend on the CA&rsquo;s, SSL protocol, and issued certificates to enforce authentication and integrity in the online space. You have little choice but to trust the CAs and expect them to provide a high quality level of authentication services.&quot;</p>
</blockquote>
<p>Tags: General Tech, black hat 2011, CA, Comodo, SSL</p>
<p>Posted Mon, 08 Aug 2011 17:48:14 +0000 by Jeremy Hellstrom</p>